package com.davidniu.lesson02;

import com.davidniu.lesson02.utils.JdbcUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SQL注入 {
    public static void main(String[] args) {
        //正常情况
        //login("David Niu","123456");
        login(" 'or ' 1=1"," 'or ' 1=1");
    }
    //登录业务
    public static void login(String username,String password) {
        Connection conn = null;
        Statement stmt = null;
        ResultSet rs = null;

        try {
            conn = JdbcUtils.getConnection();
            Statement st = conn.createStatement();
            //SELECT * FROM users WHERE `NAME` = 'David Niu' AND `PASSWORD` = '123456';
            String sql = "SELECT * FROM users WHERE `NAME` = '"+username+"' AND `PASSWORD` = '"+password+"';";
            System.out.println(sql);
            rs = st.executeQuery(sql);
            while(rs.next()) {
                System.out.println("id = "+rs.getInt("id"));
                System.out.println("Name = "+rs.getString("NAME"));
                System.out.println("Password = "+rs.getString("PASSWORD"));
                System.out.println("Email = "+rs.getString("email"));
                System.out.println("Birthday = "+rs.getDate("birthday"));
                System.out.println("======================");
            }
        } catch(SQLException e){
            e.printStackTrace();
        } finally {
            JdbcUtils.release(conn, stmt, rs);
        }
    }

}
